Analysis Overview
SHA256
d95e98146e5b40222122868c32347cfdccc4958b582dc00b38f40ba9c97b425c
Threat Level: Known bad
The file build.exe was found to be: Known bad.
Malicious Activity Summary
Redline family
SectopRAT
RedLine payload
SectopRAT payload
Sectoprat family
RedLine
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-07-26 02:20
Signatures
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Redline family
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Sectoprat family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-26 02:20
Reported
2024-07-26 02:23
Platform
win11-20240709-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | finance-lot.gl.at.ply.gg | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
Files
memory/4776-0-0x000000007487E000-0x000000007487F000-memory.dmp
memory/4776-1-0x0000000000AC0000-0x0000000000ADE000-memory.dmp
memory/4776-2-0x0000000005B90000-0x00000000061A8000-memory.dmp
memory/4776-3-0x0000000005540000-0x0000000005552000-memory.dmp
memory/4776-4-0x00000000055B0000-0x00000000055EC000-memory.dmp
memory/4776-5-0x00000000055F0000-0x000000000563C000-memory.dmp
memory/4776-6-0x0000000074870000-0x0000000075021000-memory.dmp
memory/4776-7-0x0000000005850000-0x000000000595A000-memory.dmp
memory/4776-8-0x000000007487E000-0x000000007487F000-memory.dmp
memory/4776-9-0x0000000074870000-0x0000000075021000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-26 02:20
Reported
2024-07-26 02:23
Platform
win10-20240611-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | finance-lot.gl.at.ply.gg | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 253.15.104.51.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
Files
memory/4928-0-0x0000000073A7E000-0x0000000073A7F000-memory.dmp
memory/4928-1-0x0000000000F70000-0x0000000000F8E000-memory.dmp
memory/4928-2-0x0000000005E80000-0x0000000006486000-memory.dmp
memory/4928-3-0x0000000005790000-0x00000000057A2000-memory.dmp
memory/4928-4-0x00000000057F0000-0x000000000582E000-memory.dmp
memory/4928-5-0x0000000005870000-0x00000000058BB000-memory.dmp
memory/4928-6-0x0000000073A70000-0x000000007415E000-memory.dmp
memory/4928-7-0x0000000005AA0000-0x0000000005BAA000-memory.dmp
memory/4928-8-0x0000000073A7E000-0x0000000073A7F000-memory.dmp
memory/4928-9-0x0000000073A70000-0x000000007415E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-26 02:20
Reported
2024-07-26 02:23
Platform
win7-20240704-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | finance-lot.gl.at.ply.gg | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
Files
memory/1944-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/1944-1-0x0000000000B00000-0x0000000000B1E000-memory.dmp
memory/1944-2-0x0000000074CA0000-0x000000007538E000-memory.dmp
memory/1944-3-0x0000000074CAE000-0x0000000074CAF000-memory.dmp
memory/1944-4-0x0000000074CA0000-0x000000007538E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-26 02:20
Reported
2024-07-26 02:23
Platform
win10-20240611-en
Max time kernel
148s
Max time network
158s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | finance-lot.gl.at.ply.gg | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
Files
memory/4756-0-0x000000007337E000-0x000000007337F000-memory.dmp
memory/4756-1-0x00000000006F0000-0x000000000070E000-memory.dmp
memory/4756-2-0x00000000055D0000-0x0000000005BD6000-memory.dmp
memory/4756-3-0x0000000004F10000-0x0000000004F22000-memory.dmp
memory/4756-4-0x0000000004F70000-0x0000000004FAE000-memory.dmp
memory/4756-5-0x0000000004FC0000-0x000000000500B000-memory.dmp
memory/4756-6-0x0000000073370000-0x0000000073A5E000-memory.dmp
memory/4756-7-0x0000000005220000-0x000000000532A000-memory.dmp
memory/4756-8-0x000000007337E000-0x000000007337F000-memory.dmp
memory/4756-9-0x0000000073370000-0x0000000073A5E000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-26 02:20
Reported
2024-07-26 02:23
Platform
win10v2004-20240709-en
Max time kernel
145s
Max time network
157s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\build.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\build.exe
"C:\Users\Admin\AppData\Local\Temp\build.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | finance-lot.gl.at.ply.gg | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 16.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
| US | 147.185.221.16:36936 | finance-lot.gl.at.ply.gg | tcp |
Files
memory/2608-0-0x000000007495E000-0x000000007495F000-memory.dmp
memory/2608-1-0x0000000000960000-0x000000000097E000-memory.dmp
memory/2608-2-0x0000000005890000-0x0000000005EA8000-memory.dmp
memory/2608-3-0x00000000051E0000-0x00000000051F2000-memory.dmp
memory/2608-4-0x0000000005270000-0x00000000052AC000-memory.dmp
memory/2608-5-0x0000000005200000-0x000000000524C000-memory.dmp
memory/2608-6-0x0000000074950000-0x0000000075100000-memory.dmp
memory/2608-7-0x00000000054F0000-0x00000000055FA000-memory.dmp
memory/2608-8-0x000000007495E000-0x000000007495F000-memory.dmp
memory/2608-9-0x0000000074950000-0x0000000075100000-memory.dmp